On Tue, 22 Feb 2005, Dean Anderson wrote:
> I agree, it seems unproductive to respond.  These points have been brought
> up repeatedly in the past, and you still don't get them.  Why rehash this?

> Only you continue to posit this draft [...]

An interesting view. On the contrary -- I think you are the only one strongly opposed to this draft.


>   1) check that forward and reverse entries match, but don't check what
>   the name actually is (this could be phrased as a "consistency check").

> You check that there are two records, but you don't check them. How is that a consistency check?

For example, an SMTP server might check that an SMTP session initiated from IP address 1.2.3.4 would have the reverse for 1.2.3.4 point to a name, which refers back to the PTR record. The system, however, would not have whitelisted or blacklisted hosts or IP addresses to check against -- this would be applied to all connections, with the intention, "we don't want to allow sessions from anyone whose reverse and forward DNS entries aren't consistent, though we don't actually care at all what those DNS entries are as long as they are equivalent".


This might be a more or less misguided "hijacked IP address" consistency check (where the assumption would be that those "hijacking" addresses might not be able to get a reverse delegation -- which may or may not be false).

I will not bother responding to the rest as it doesn't seem constructive, except in your later post:

> The notion of r-command security seems to me to serve to discredit the contents of this draft. I cannot believe we are actually debating the view that the BSD r-commands' security, that is, the in-addr based "security" assumption, is actually a good idea.

You are deliberately trying to confuse this issue, or just don't get it.


The r-command security was based on DNS, yes. But that was ALL. There was _no_ additional security at all.

Here, we have setups which are already very secure in themselves (e.g., SSH with a public key), but the administrator just wants to get additional security by cutting out 99.99% of attacks before they hit the servers' port 22 -- port scans, typical script kiddie attacks, etc.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
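The consistency check Pekka describes above (look up the PTR for the connecting address, resolve that name forward, accept only if the forward answer includes the original address, with no interest in what the name is) is commonly called forward-confirmed reverse DNS. The following is an added example, not code from the thread or from the draft under discussion; the zone data is constructed, and the `ptr`/`fwd` callables are assumed hooks that a real deployment would replace with calls to the system resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) consistency check, as a
connection-time policy for an SMTP or SSH front end.

Policy: accept a client IP only if at least one PTR name for that IP
resolves forward back to the same IP. The name itself is never inspected;
only agreement between the reverse and forward records matters.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed records standing in for a resolver (assumption: a real
# deployment would query DNS; none of these names or addresses are real data).
REVERSE_ZONE: Dict[str, List[str]] = {
    "1.2.3.4": ["mail.example.org."],                # forward points back: consistent
    "1.2.3.5": ["mx.example.net."],                  # forward exists but names another IP
    "1.2.3.6": [],                                   # no PTR record at all
    "1.2.3.7": ["a.example.com.", "b.example.com."], # several PTRs, one of them matches
}
FORWARD_ZONE: Dict[str, List[str]] = {
    "mail.example.org.": ["1.2.3.4"],
    "mx.example.net.": ["10.0.0.9"],
    "a.example.com.": ["192.0.2.1"],
    "b.example.com.": ["1.2.3.7", "1.2.3.8"],
}


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query (hypothetical hook; swap for a real resolver)."""
    return REVERSE_ZONE.get(ip, [])


def lookup_forward(name: str) -> List[str]:
    """Stand-in for an A/AAAA query (hypothetical hook; swap for a real resolver)."""
    return FORWARD_ZONE.get(name, [])


def fcrdns_consistent(
    ip: str,
    ptr: Callable[[str], List[str]] = lookup_ptr,
    fwd: Callable[[str], List[str]] = lookup_forward,
) -> bool:
    """Return True iff some PTR name for `ip` resolves forward to `ip` again."""
    addr = ipaddress.ip_address(ip)  # normalises spelling (e.g. IPv6) and rejects junk
    for name in ptr(str(addr)):
        if not name.endswith("."):
            name += "."  # compare fully-qualified names only
        for candidate in fwd(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return True
            except ValueError:
                continue  # malformed forward answer: ignore it, do not fail open
    return False  # no PTR, or no PTR whose forward record names this IP


def connect_policy(ip: str) -> str:
    """Decision string a front end would act on before the real service sees the session."""
    if fcrdns_consistent(ip):
        return "accept"
    return "reject: forward/reverse DNS entries are not consistent"


if __name__ == "__main__":
    for client in ("1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7"):
        print(client, "->", connect_policy(client))
```

Note what the check does and does not prove: a consistent pair only shows that whoever controls the reverse delegation for the address also controls the forward zone for the name it returns. That is exactly the pre-filter the post argues for in front of an already-authenticated service such as SSH with public keys, and it is not a substitute for that authentication, which is the distinction from the r-command model discussed above.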
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
